The open source Mattermost Team Edition is used by thousands of teams around the world. Development is aided by hundreds of open source contributors, with full access to the product source code, who have a vested interest in keeping the software secure and vetted.

The commercial Mattermost Enterprise Edition extends the security and productivity benefits of the open source solution with support for advanced security, management, scale and policy compliance features for complex organizations.

Mattermost uses a responsible disclosure policy to accept confidential reports of new threats, so they can be addressed either immediately through a dot release, or by the next monthly release depending on potential impact.

When Mattermost software undergoes security and penetration testing at customer sites, the resulting security updates are added to the core software and publicly documented per release.

Do you maintain a quality management system (QMS) approved by management? Does your quality management system (QMS) include coverage for software application security principles?

Yes.

Is quality management system (QMS) content published and communicated to all relevant employees?

Yes.

Is quality management system (QMS) content reviewed and updated (if appropriate) at least once per year?

Yes.

Is there defined management oversight who is responsible for application quality and security reporting & signoff?

Yes.

For all IT systems including but not limited to servers, routers, switches, firewalls, databases, and external social spaces, is management approval required prior to creating all user and privileged accounts (e.g., system or security administrator)?

Yes.

For all IT systems including but not limited to servers, routers, switches, firewalls and databases, are privileged accounts (e.g., system or security administrator) logged at all times and reviewed on at least a quarterly basis?

Yes.

Are all system, application and device password files encrypted using an industry standard encryption algorithm where technically feasible?

Yes.

For all IT systems including but not limited to servers, routers, switches, firewalls and databases, do privileged accounts (e.g., system or security administrator) that communicate directly with the Internet, contain any personally identifiable information (PII) such as: social security numbers, credit card numbers, patient health record information, or other confidential records?

Are unique user IDs required for all user and privileged accounts (e.g., system or security administrator) to access all IT systems including but not limited to servers, routers, switches, firewalls and databases?

Yes.

Are passwords required for all user and privileged accounts (e.g., system or security administrator) to access all IT systems including but not limited to servers, routers, switches, firewalls and databases?

Yes.

Are there written network password policies and/or procedures?

Yes.

Is password administration employed for critical systems?

Yes.

Are passwords prevented from being displayed in clear text during user authentication or in electronic/printed reports?

Yes.

If user accounts are assigned to non-permanent personnel (e.g., contractors, consultants) for troubleshooting purposes, are the accounts disabled or removed after each use?

Is there a risk assessment program that has been approved by management, communicated to appropriate personnel and has an owner to maintain and review the program?

Yes.

Is there an information security policy that has been approved by management, communicated to appropriate personnel and has an owner to maintain and review the policy?

Yes.

Is there a vendor management program?

Yes.

Is there a respondent information security function responsible for security initiatives?

Yes.

Is there an asset management policy or program that has been approved by management, communicated to appropriate personnel and has an owner to maintain and review the policy?

Yes.

Are management approved operating procedures utilized?

Yes.

Is there an operational change management / change control policy or program that has been approved by management, communicated to appropriate personnel and has an owner to maintain and review the policy?

Yes.

Are system backups performed?

Yes.

Are firewalls in use for both internal and external connections?

Yes.

Are firewalls or IPS(s) secured against unauthorized access from the Internet, Extranet and Intranet users?

Yes.

Are vulnerability assessments, scans or penetration tests performed on internal or external networks?

Yes.

Are incoming e-mails scanned for questionable file attachments?

Yes.

Does the company use spam filtering software to reduce the number of unsolicited e-mails?

Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of outstanding regulatory issues?

Yes.

Are there policies and procedures to ensure compliance with applicable legislative, regulatory and contractual requirements to address intellectual property rights on business processes or information technology software products?

Yes.

Is there a records retention policy covering paper and electronic records, including email in support of applicable regulations, standards and contractual requirements?

Yes. For example, records of customers with NDAs are retained in case an NDA is terminated and requires the destruction of records.

Is licensing maintained in all jurisdictions where the business operates or where licensing is required?

Yes.

Is there an internal compliance and ethics program to ensure professional ethics and business practices are implemented?

Yes.

Are policies and procedures maintained for enabling compliance with applicable legal, regulatory, statutory, or contractual obligations related to any information security requirements?

Yes.

Is there a formalized governance process to identify and assess changes that could significantly affect the system of internal controls for security, confidentiality and availability?

Technical infrastructure, including network security, servers and access control protocols are regularly reviewed for potential threats and vulnerabilities.

Business processes, HR processes and policies are regularly reviewed for potential threats and vulnerabilities.

A penetration test on the software is performed regularly. A copy of penetration results may be requested by customers upon five (5) day written notice at any time, but no more than once per twelve (12) month period.

This document outlines Mattermost, Inc.’s Disaster Recovery and Business Continuity Plan (DRBCP) informed by the Federal Financial Institutions Examination Council guidelines on Business Continuity Planning in the context of Mattermost, Inc. being a vendor providing self-hosted software and consulting services to financial institutions.

Because Mattermost software runs within a customer’s data center, behind a customer’s firewall and existing layers of security, without any dependency on services hosted by Mattermost, a disruption of Mattermost, Inc.’s business continuity does not immediately impact the operating continuity of its customers. It does affect Mattermost’s ability to answer support requests, provide consulting services and deliver new improvements or patches to the Mattermost software.

At a high level, precautions include:

DRBCP is tested, evaluated and refined annually to ensure our processes are working and up-to-date

As support is the most critical service offered, multiple channels for support engagement are available and monitored, including email, a Mattermost community server available on web, desktop and mobile, online forums, online forms, social media channels (Twitter and Facebook), and for Premier Support customers, we offer a telephone-based call center.

Subject Matter Experts for escalations are available in at least three centers in different timezones to provide redundant coverage should communication with one or multiple centers be disrupted. Mattermost staff use a diverse set of operating systems, including Mac, Windows and different distributions of Linux, and a diverse set of global internet service providers, to reduce the potential damage of a single strain of malware, single desktop computing exploit or single telecommunications outage.

As further redundancy, we have a network of partners around the world skilled in Mattermost technologies to be contacted for assistance for critical customer issues.

As further redundancy, we have a community of several hundred engineers around the world and over a thousand contributors to our online forums, who have sufficient access to and expertise in Mattermost’s open source technologies that they could be contacted in the highly unlikely event that both Mattermost, Inc. and our partner network are unable to service our customers.

As further redundancy, Mattermost provides open source code for its core server technology, mobile applications, desktop applications and a wide array of extensions which allows customers to have transparency into the functionality of the software and solve the issue with their internal technical teams should a massive worldwide failure of Mattermost, Inc., its partners and its community arise.

Mattermost, Inc. is headquartered in Palo Alto, California with a distributed organization across three timezones, and is therefore not easily affected by typical causes of business disruption, such as local failures of equipment, power, telecommunications, social unrest, fire, or natural disasters. Even so, threats considered in the context of business continuity are categorized by impact of the disruption.

Priority 1: Outages that would have immediate impact on a Mattermost customer

Level 1 (Critical Business Impact) and Level 2 (Major Business Impact) support requests are received by on-call support staff, as well as three supervisory staff who can monitor and escalate issues should the assigned staff member appear to be unavailable or unable to respond to the request within the SLA time allotted.

As an additional safeguard, when an L1 or L2 escalation is reported, a notification is sent via the company’s internal Mattermost instance to all qualified support staff to be aware of the issue, and any member can step in if it seems follow-up may not be achieved within SLA expectations.

Mitigation(s):

Mattermost, Inc. employs support staff and engineers in multiple timezones to increase availability, reduce response times and to reduce the risk that key support staff would be unavailable to service emergency requests.

Outage due to malicious software (viruses, worms, trojans and similar)

Effect:

Reduced capacity to continue business operations, depending on attack.

Solution(s):

Mattermost, Inc. staff use multiple anti-virus solutions for detecting and removing malicious software, and the company regularly backs up key systems so that infected systems can be wiped and its infrastructure re-deployed. Moreover, the company uses a range of Windows, Mac and Linux-based workstations, reducing the probability of a company-wide disruption from a single strain of malicious software.

Mattermost, Inc. employs staff and engineers in multiple timezones and geographic areas, reducing the risk of significant disruption that an influenza pandemic or infectious disease outbreak would cause to business operations.

While there is no current failover plan should our online CRM system become disrupted, we have SLAs with our CRM vendor, which is used by thousands of other organizations, and believe the probability of a sustained outage is low.

Priority 4: Outages greater than 10 days impacting business continuity

While there is no current failover plan should our online HR or intranet system become disrupted, we have SLAs with our vendors, which are used by thousands of other organizations, and believe the probability of a sustained outage is low.